Squid Proxy Installation
Procedure 1:
1). Install squid and squid-common
sudo aptitude install squid squid-common
2). Edit the squid config file.
sudo vi /etc/squid/squid.conf
2.1. Naming the proxy
It's important that Squid knows the name of the machine. To do this, locate the line visible_hostname.
For example, if the machine is called ubuntu insert:
visible_hostname ubuntu
2.2. Choosing the port
By default, the proxy server will use port 3128. To choose another port, locate the line:
http_port 3128
and change the port number, for example:
http_port 3177
(Keeping the default port 3128 is also fine.)
2.3. Choosing the interface
By default the proxy server will listen on all interfaces. For security reasons, it's better to bind it to your local network only. For example, if the network card connected to your LAN has IP 10.0.0.1, change the line to:
http_port 10.0.0.1:3177
2.4. Setting access rights and priorities
By default, nobody else is allowed to connect to the proxy server, so a list of permissions (ACLs) must be created.
For example, we will define a group encompassing the local network.
Find the line beginning with acl localhost...
At the end of the section, add:
acl lanhome src 10.0.0.0/255.255.255.0
(lanhome is an arbitrary name; choose any name you like.)
2.5. Authorizing access to group
Now that the group is defined, we will authorise it to use the proxy.
Locate the line http_access allow ... and add below (before the line http_access deny all):
http_access allow lanhome
(lanhome being the ACL for your local network that was defined in 2.4.)
2.6. Allowing the use of non-standard ports
By default, Squid allows HTTP traffic only on specific ports (e.g. 80). This can cause problems on websites using other ports.
For example, http://toto.com:81/images/titi.png will be blocked by Squid.
To avoid this, find the line http_access deny !Safe_ports and comment it out:
# http_access deny !Safe_ports
3). Starting the proxy
Restart the proxy to apply the modifications you made. Type:
sudo /etc/init.d/squid restart
Procedure 2:
Step 1:
======Install Squid Proxy Server====
sudo aptitude install squid squid-common
Step 2:
sudo sysv-rc-conf squid on
sudo service squid start
sudo service squid stop
sudo service squid restart
Step 3:
1). Set the proxy's name in squid.conf (a single visible_hostname line is enough), for example:
# File: squid.conf
visible_hostname cache-001
or
visible_hostname localhost
2). Modify or add the following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where:
httpd_accel_host virtual: run Squid as an httpd accelerator
httpd_accel_port 80: 80 is the port you want Squid to accelerate/proxy
httpd_accel_with_proxy on: Squid acts both as a local httpd accelerator and as a proxy.
httpd_accel_uses_host_header on: use the Host header (the hostname from the URL) to select the backend.
acl lan src 192.168.1.1 192.168.2.0/24: access control list naming the LAN computers allowed to use Squid
http_access allow localhost: allow requests that match the localhost ACL
http_access allow lan: allow requests that match the lan ACL; together these two lines restrict Squid to LAN and localhost only
3). ========Restricting web access by time========
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
4). ========Restricting access to specific Web sites========
# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com
# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com
========Configuring restricted and allowed Web sites========
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
5). ========Restricting Web access by IP address========
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
========Configuring access by IP address range========
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
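Because Squid stops at the first http_access line that matches, the order of the deny and allow lines in sections 2.4 to 2.6 of Procedure 1 and in items 3 to 5 above decides the outcome. The following added example (not code from the original post or from the Squid project) is a small model of that first-match evaluation for the ACL types used on this page: src, dstdomain, port and time. SAMPLE_CONF is a constructed fragment that merges the post's rules, with the site lists inlined instead of read from files; the Safe_ports definition is the one shipped in the default squid.conf, and the timestamps are constructed.

```python
# Added example, not part of the original post: a small model of how Squid
# evaluates http_access lines (first match wins) for the ACL types used on this
# page (src, dstdomain, port, time), so rule ordering can be checked offline.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Squid day codes for "time" ACLs, indexed by datetime.weekday() (Mon=0 .. Sun=6)
DAY_CODES = "MTWHFAS"   # M Mon, T Tue, W Wed, H Thu, F Fri, A Sat, S Sun


def parse_config(text):
    """Collect 'acl' definitions and 'http_access' rules from squid.conf-style text."""
    acls = {"all": ("src", ["0.0.0.0/0"])}   # 'all' is built in on Squid 3.x
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' comments out the rest of the line
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _port_matches(port, spec):
    low, _, high = spec.partition("-")          # "80" or "1025-65535"
    return int(low) <= port <= int(high or low)


def acl_matches(acl, req):
    """Does one ACL match the request dict {src, host, port, when}?"""
    acl_type, values = acl
    if acl_type == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = req["host"]   # ".example.com" also matches subdomains; a bare name is exact
        return any((host == v[1:] or host.endswith(v)) if v.startswith(".") else host == v
                   for v in values)
    if acl_type == "port":
        return any(_port_matches(req["port"], v) for v in values)
    if acl_type == "time":
        when = req["when"]
        days = "".join(v for v in values if len(v) == 1)
        ranges = [v.split("-") for v in values if "-" in v]
        if days and DAY_CODES[when.weekday()] not in days:
            return False
        now = when.hour * 60 + when.minute
        return not ranges or any(_minutes(a) <= now < _minutes(b) for a, b in ranges)
    raise ValueError(f"unsupported acl type: {acl_type}")


def decide(config_text, req):
    """Return 'allow' or 'deny' for a request using Squid's first-match evaluation."""
    acls, rules = parse_config(config_text)
    for action, names in rules:
        # a line applies only when every listed ACL (honouring a leading '!') matches
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    # nothing matched: Squid uses the opposite of the last line (deny if there are none)
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


# Constructed fragment merging the post's rules; site lists inlined instead of files
SAMPLE_CONF = """
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl lanhome src 10.0.0.0/255.255.255.0
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain www.openfree.org linuxhomenetworking.com
acl BadSites dstdomain www.porn.com illegal.com
http_access deny !Safe_ports
http_access deny BadSites
http_access deny RestrictedHost
http_access allow home_network business_hours GoodSites
http_access allow lanhome
http_access deny all
"""

# Constructed timestamps: 2024-01-09 is a Tuesday, 2024-01-13 a Saturday
TUESDAY_10AM = datetime(2024, 1, 9, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)


def request(src, host, port=80, when=TUESDAY_10AM):
    return {"src": src, "host": host, "port": port, "when": when}


if __name__ == "__main__":
    print(decide(SAMPLE_CONF, request("192.168.1.23", "www.openfree.org")))   # deny
    print(decide(SAMPLE_CONF, request("10.0.0.5", "toto.com", port=81)))      # deny
```

Running the model shows why RestrictedHost must be denied before home_network is allowed (swap the two lines and 192.168.1.23 gets through during business hours), and that a request to port 81 is refused by the Safe_ports line until it is commented out. Commenting that line out lifts the restriction for every port, so adding the one extra port to the acl Safe_ports list is the narrower change when only a single site needs it.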
6). ===Version 2.6 to 3.0: These versions of Squid simply require you to add the word "transparent" to the default "http_port 3128" statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but also does so in transparent mode.
http_port 3128 transparent
===Version 3.1+: Newer versions of Squid also add the "intercept" keyword to the "http_port 3128" statement when transparent proxying uses an HTTP redirect. If redirection isn't being used, the "transparent" keyword is still used. Here is an example:
http_port 3128 intercept
Or
http_port 3128 transparent
Step 4:
========Configuring iptables to Support the Squid Transparent Proxy=======
==Squid Server and Firewall – Same Server (HTTP Redirect)=============
If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128 and then only the firewall itself is allowed to access the Internet on port 80.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
Note: This example is specific to HTTP traffic. You won't be able to adapt it to support HTTPS web browsing on TCP port 443, as that protocol specifically doesn't allow the insertion of a "man in the middle" server for security purposes. One solution is to add IP masquerading statements for port 443, or any other important traffic, immediately after these rules. This will allow non-HTTP traffic to access the Internet without being cached by Squid.
=========Squid Server and Firewall – Different Servers==========
If the Squid server and firewall are different servers, the statements are different. You need to set up iptables so that all connections to the Web not originating from the Squid server are actually converted into three connections: one from the Web browser client to the firewall, another from the firewall to the Squid server, and a third that the Squid server makes itself to the Web to service the request. The Squid server then gets the data and replies to the firewall, which relays it to the Web browser client. The iptables program does all this using these NAT statements:
iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.100 -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 192.168.1.100 -j SNAT --to 192.168.1.1
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.1.100 -i eth1 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -s 192.168.1.100 -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED -p tcp --sport 3128 -j ACCEPT
In the first statement all HTTP traffic from the home network except from the Squid server at IP address 192.168.1.100 is redirected to the Squid server on port 3128 using destination NAT. The second statement makes this redirected traffic also undergo source NAT to make it appear as if it is coming from the firewall itself. The FORWARD statements are used to ensure the traffic is allowed to flow to the Squid server after the NAT process is complete. The unusual feature is that the NAT all takes place on one interface; that of the home network (eth1).
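The three-connection flow described above is easier to follow as a packet walk. The following added example (not code from the original post) is a reduced model of the path a packet takes through those rules: nat PREROUTING, routing, FORWARD, nat POSTROUTING, plus a minimal conntrack table so the reply from Squid can be un-NATed the way the kernel does it. It shows why the Squid server's own address is excluded from the DNAT rule (without the negated -s 192.168.1.100 match, Squid's own fetch of the page would be redirected back to Squid) and how the SNAT makes the reply come back through the firewall. The 192.168.1.x addresses and eth1/eth0 are the post's; the client 192.168.1.50, the web server 198.51.100.10 and the port numbers are constructed, and the conntrack state match and the FORWARD chain policy are left out of the model.

```python
# Added example, not part of the original post: a reduced model of the path a
# packet takes through the "different servers" rules above (nat PREROUTING,
# routing, FORWARD, nat POSTROUTING) with a minimal conntrack table.
# Client (192.168.1.50) and web server (198.51.100.10) are constructed values.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

SQUID = "192.168.1.100"       # Squid server (from the post)
FIREWALL_LAN = "192.168.1.1"  # firewall's address on the home network (from the post)
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str
    out_if: str = ""


def route(pkt):
    """Routing decision: home-network destinations leave via eth1, the Internet via eth0."""
    return replace(pkt, out_if="eth1" if ip_address(pkt.dst) in LAN else "eth0")


def forward_verdict(pkt):
    """The two FORWARD rules from the post (conntrack state match omitted)."""
    to_squid = (ip_address(pkt.src) in LAN and pkt.dst == SQUID and pkt.dport == 3128
                and pkt.in_if == "eth1" and pkt.out_if == "eth1")
    from_squid = (pkt.src == SQUID and ip_address(pkt.dst) in LAN and pkt.sport == 3128
                  and pkt.in_if == "eth1" and pkt.out_if == "eth1")
    return "ACCEPT" if to_squid or from_squid else "POLICY"   # chain policy not given in the post


class Firewall:
    def __init__(self, exclude_squid=True):
        self.exclude_squid = exclude_squid   # False models dropping the negated -s match
        self.conntrack = {}                  # NATed 4-tuple -> original 4-tuple

    def new_connection(self, pkt):
        """First packet of a client connection: DNAT, route, FORWARD, then SNAT."""
        original = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # PREROUTING: -i eth1 ! -s 192.168.1.100 -p tcp --dport 80 -j DNAT --to 192.168.1.100:3128
        if pkt.in_if == "eth1" and pkt.dport == 80 and not (self.exclude_squid and pkt.src == SQUID):
            pkt = replace(pkt, dst=SQUID, dport=3128)
        pkt = route(pkt)
        verdict = forward_verdict(pkt)
        # POSTROUTING: -o eth1 -s 192.168.1.0/24 -d 192.168.1.100 -j SNAT --to 192.168.1.1
        if pkt.out_if == "eth1" and ip_address(pkt.src) in LAN and pkt.dst == SQUID:
            pkt = replace(pkt, src=FIREWALL_LAN)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = original
        return pkt, verdict

    def reply(self, pkt):
        """Packet from Squid back to the firewall: conntrack undoes the SNAT before routing and the DNAT after."""
        original = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if original is None:
            return pkt, "POLICY"   # not part of a tracked connection
        client, client_port, web_ip, web_port = original
        pkt = route(replace(pkt, dst=client, dport=client_port))   # undo SNAT (PREROUTING)
        verdict = forward_verdict(pkt)
        pkt = replace(pkt, src=web_ip, sport=web_port)             # undo DNAT (POSTROUTING)
        return pkt, verdict


if __name__ == "__main__":
    fw = Firewall()
    out, verdict = fw.new_connection(Packet("192.168.1.50", 40000, "198.51.100.10", 80, "eth1"))
    print(out, verdict)   # reaches Squid as 192.168.1.1:40000 -> 192.168.1.100:3128, ACCEPT
    back, verdict = fw.reply(Packet(SQUID, 3128, FIREWALL_LAN, 40000, "eth1"))
    print(back, verdict)  # reaches the client as 198.51.100.10:80 -> 192.168.1.50:40000, ACCEPT
```

Constructing Firewall(exclude_squid=False) and sending Squid's own request through new_connection shows the loop the exclusion prevents: the request to 198.51.100.10:80 is rewritten to 192.168.1.100:3128 and never leaves the home network.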
======Finally, repeat Step 2 to restart Squid============